Responsibilities and definitions
Controller – the company using Cyberon Centry to protect its infrastructure is responsible for the processing of data, including personal data. This will normally be the customer/the employer.
Processor – Cyberon Security processes the data on behalf of the controller and is responsible for implementing appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the General Data Protection Regulation and ensure the protection of the rights of the data subject.
The data subject – the directly or indirectly identifiable person whose data are being collected, stored or otherwise processed. This will normally be the employee or other persons using the customer's infrastructure.
Processing – any operation or set of operations which is performed on personal data or on sets of personal data.
Personal data – any information relating to an identified or identifiable natural person (the data subject).
Purpose of processing
Cyberon Centry is used to secure the processing of information in the controller’s infrastructure. The service detects and reports events related to potential threats such as known vulnerabilities, malicious code, infected web pages, malicious applications, vulnerable services and attempted attacks, as well as other events affecting the confidentiality, integrity and availability of the controller’s business and its employees.
Events that are associated with such risks are detected, analysed (manually) and reported to the controller.
The types of personal data processed by Cyberon Centry:
- Login to the domain (date, IP, successful or not)
- Reading, deleting or moving files (date, IP, action, rights)
- Email (sender, recipient, subject, IP sender, IP receiver)
- Use of unsafe services, that is, whether a password, personal identification number, e-mail or other sensitive data is sent over a non-encrypted link (date, IP, service)
- Registered username or email is checked against a database of compromised passwords (service and user/email)
Processing, reporting and sharing of data
The data collected by Cyberon Centry is stored, structured and made available to the controller by Cyberon Security.
All reporting is conducted in such a way that the identity of the data subject is not revealed, with the exception of any legal order or:
- When necessary to maintain the day-to-day operations or other legitimate interests of the controller.
- When there is a legitimate suspicion that the data subject’s use of the infrastructure entails a gross violation of the subject’s duties and obligations or may provide a basis for termination of contract or dismissal.
In such cases the controller is responsible for informing the data subject.
Beyond this, personal data or data related to the controller are not shared with other parties or individuals.
Anonymised data, that is, data that cannot be related to an individual, can be used by Cyberon Security for research and development internally or in cooperation with third parties.
Cyberon Centry monitors network traffic and events including processes, data access, system usage and application logs. It also retrieves logs from equipment or services such as firewalls, servers, antivirus solutions, e-mail protection and cloud services (Office 365).
Data is transmitted and stored encrypted (TLS and dm-crypt) and is subject to monitoring for three months. The data is then taken offline and stored securely on Cyberon’s servers. The servers handle data behind three security zones. Access control ensures that only authorised persons can access the data. All processing is subject to confidentiality.
Data are stored on Cyberon’s servers in Norway. Personal data not related to special events are anonymised after 12 months. Upon termination of the agreement, all data that may be linked to the data subject will be anonymised or deleted in accordance with the agreement with the controller.
Rights of the data subject
The data subject has the right to:
- request access to their personal data
- rectification or erasure of personal data or restriction of processing
- object to processing as well as the right to data portability
- lodge a complaint with a supervisory authority – The Norwegian Data Protection Authority
For more information about access, rectification, erasure, restriction and data portability, see Articles 15–21 of the General Data Protection Regulation.
Please contact us for any requests regarding our processing of your personal data.
Cyberon Security AS
0277 OSLO, Norway
Erlend Udnesseter, Data Protection Officer